The current CVC documentation does not explicitly state that, for IS (inspection system) end entities, the holder reference (subject DN in EJBCA) should not be changed if IS CVC certificates are to be issued via web service calls.
In particular, the following scenario will break renewal of CVC certificates via web services:
1. Create an IS end entity.
2. Issue one IS certificate to the end entity (either via the public web page or a web service).
3. Change the IS holder reference (CN).
4. Issue another IS certificate to the same end entity (using the EJBCA public web page).
5. Try to renew the IS certificate via web service (this will fail).
The gist is that once an IS certificate has been issued for an end entity, the holder reference should never be changed. If it turns out that an error was made during the issuance of the initial IS certificate, a new end entity should be created instead.
I have not tried to reproduce the above steps (requires fiddling with web services and coding), but this is what a customer's scenario was like.